SAML SSO Configurations
dvt312
New Member (2 reputation)
Group: Forum Members
Posts: 1, Visits: 6
Hello,
We have a multi-tenant application, so we can have 1 or many SAML SSO Configurations for the same application. Our application is acting as LocalServiceProvider and we can have multiple PartnerIdentityProviders.

I would like to know which is the best way to identify which configuration I should load when I receive the response in the AssertionConsumerURL. I was trying to add a query parameter to the URL, but that is not quite working well with some of the IdPs.

I was thinking I can loop over all the configurations and call SAMLController.ReceiveSSO inside a try/catch until I get a valid response.

My question is: if I do that loop, could I receive an SSO response not initiated by me? I mean, if another application user located on another computer is trying to do SSO login and both did the request at the same time, then if I do that loop, is there a chance I can receive the SSO response from the other user?

If yes, and my workaround is not working, what other way can you suggest to me in order to identify which configuration I should load before calling SAMLController.ReceiveSSO?

Thanks
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
It's generally better to identify the tenant by some aspect of the URL. For example, this could be a subdomain name, query string parameter etc.

Looping through the various SAML configurations and calling SAMLServiceProvider.ReceiveSSO is not an optimal solution. This would require loading each SAML configuration as well as unnecessary processing when the wrong configuration is loaded.

Ignoring that for the moment, this approach should work if the partner identity provider is unique across all configurations. If that's the case, there won't be any chance of mixing up partner identity providers or users.

However, my recommendation is to use the URL to identify the tenant and not loop through configurations.

Regards
ComponentSpace Development
marcdejoya021
New Member (1 reputation)
Group: Forum Members
Posts: 1, Visits: 3
In reply to dvt312's post of 4/21/2023:
You can use the Entity ID from the SAML response you receive to determine the set of configurations to use for that IdP.


ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
That's a possibility. It assumes that the same partner identity provider isn't specified in multiple SAML configurations.

Once the SAML configuration has been selected, the issuer field (equivalent to the entity ID) in the SAML message is used to look up the partner identity provider configuration within the SAML configuration.

Regards
ComponentSpace Development
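An added example, in Python rather than ComponentSpace's own API, of the two tenant-selection strategies discussed in this thread: picking the configuration from the ACS URL (subdomain or query parameter), or peeking at the Issuer of the posted SAMLResponse and mapping it to the one configuration that lists that partner IdP. The configuration names, entity IDs and the unsigned sample response are constructed; the issuer is read only to choose a configuration, and the real library call must still validate the signature and look the issuer up within the selected configuration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed example: configuration name -> partner IdP entity IDs (hypothetical values).
CONFIGURATIONS = {
    "tenant-a": ["https://idp.tenant-a.example/metadata"],
    "tenant-b": ["https://idp.tenant-b.example/metadata"],
}

def build_issuer_index(configurations):
    """Map each partner IdP entity ID to the single configuration that lists it.
    Raise if an entity ID appears in more than one configuration, because the
    issuer could then no longer identify the tenant unambiguously (the
    assumption the thread relies on)."""
    index = {}
    for name, entity_ids in configurations.items():
        for entity_id in entity_ids:
            if entity_id in index and index[entity_id] != name:
                raise ValueError(f"{entity_id} listed in both {index[entity_id]} and {name}")
            index[entity_id] = name
    return index

def configuration_from_url(host, query_string):
    """Option 1: identify the tenant from the ACS URL (?tenant= wins, else subdomain)."""
    tenant = parse_qs(query_string).get("tenant", [None])[0]
    if tenant is None:
        tenant = host.split(".")[0]
    return tenant if tenant in CONFIGURATIONS else None

def configuration_from_response(saml_response_b64, issuer_index):
    """Option 2: peek at the top-level <Issuer> of the posted SAMLResponse.
    Nothing is verified at this point, so the value only selects which
    configuration to load; ReceiveSSO then validates the message and looks the
    issuer up within that configuration. Unknown issuers map to None."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAML_PROTOCOL_NS}}}Response":
        return None
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not issuer.text:
        return None
    return issuer_index.get(issuer.text.strip())

def make_sample_response(issuer):
    """Constructed, unsigned SAMLResponse used only to exercise the selector."""
    xml = (f'<samlp:Response xmlns:samlp="{SAML_PROTOCOL_NS}" xmlns:saml="{SAML_ASSERTION_NS}" '
           f'ID="_demo" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```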